On Jun 26, 2007, at 11:09 AM, Clinton Gormley wrote:

> >         allowScriptAccess="never"
> >         allownetworking="internal"

> I don't know what those are :)

> <object> tags are removed by default, and you would still need to
> subclass HTML::StripScripts in order to allow those elements.
>
> The Rules (for safety's sake) are applied after the standard parsing has already happened, and objects are not allowed because they are just too risky. So if you want to do that, subclass the WHITELIST INITIALIZATION
> METHODS and add the relevant config in there.

Already doing that...

Those are placed in object AND embed tags (I don't recall if embed tags are off by default). Regardless, it might make sense to mention them in the docs, as they're in a grey area and something to be wary of when enabling objects.

allowScriptAccess locks the Flash player down: it can't call any JS functions or do any document writes, etc. Without it, it's possible to have a .swf file that on load starts rewriting the page to load in external JS files and then write them into the document body (thereby avoiding any JS XSS safeguards). That's how a lot of old 'skinning' and 'tracking' was done: people would write mini-apps hidden in a 1x1 SWF file that would manipulate the DOM and do whatever data exchange was needed. It can be pretty insidious.

allowNetworking, I think, disables what getURL can do. I could be wrong on that one, but I believe that is the command that locks down what SWF files can redirect browsers to (same domain as the HTML, or any, or none).


// Jonathan Vanasco

| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|   CEO/Founder SyndiClick Networks
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|     Founder/CTO/CVO
|      FindMeOn.com - The cure for Multiple Web Personality Disorder
|      Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|      RoadSound.com - Tools For Bands, Stuff For Fans
|      Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
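An added example, not code from the thread and not HTML::StripScripts, showing the rule the two messages above converge on: if you let <object>/<embed> through a whitelist filter, allowScriptAccess="never" and allowNetworking="internal" must be emitted by the filter itself, on both the <param> children of <object> and the attributes of <embed> (Flash Player reads them from both places). Merely stripping a user-supplied value is not enough, because a user can omit the setting and get the player's default, which is not "never". The tag whitelist, the list of user <param> names kept, the helper names and the sample HTML are all constructed assumptions for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policy: lockdown settings the filter always emits itself (values from the thread).
FORCED_FLASH_PARAMS = {"allowScriptAccess": "never", "allowNetworking": "internal"}
_FORCED_LOWER = {k.lower() for k in FORCED_FLASH_PARAMS}

# Constructed, deliberately tiny whitelist: tag -> attributes that may survive.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href"},
    "object": {"data", "type", "width", "height"},
    "embed": {"src", "type", "width", "height"},
    "param": {"name", "value"},
}
VOID_TAGS = {"br", "param", "embed"}
DROP_CONTENT_TAGS = {"script", "style"}              # tag and its text both vanish
ALLOWED_PARAM_NAMES = {"movie", "quality", "wmode"}  # user <param>s we pass through (assumption)
_TOKEN = re.compile(r"^[A-Za-z0-9_#./+-]{1,64}$")


def _clean_value(name, value):
    """Validate one attribute value; None means drop the attribute."""
    if value is None:
        return None
    if name in ("href", "src", "data"):
        # Absolute http(s) only: rejects javascript:, data:, vbscript: and relative tricks.
        return value if urlsplit(value.strip()).scheme.lower() in ("http", "https") else None
    if name in ("width", "height"):
        return value if value.isdigit() and len(value) <= 4 else None
    return value if _TOKEN.match(value) else None


def _render(tag, attrs):
    parts = [tag] + [f'{n}="{escape(v, quote=True)}"' for n, v in attrs.items()]
    return "<" + " ".join(parts) + ">"


class FlashLockdownSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allowed elements emitted and not yet closed
        self._drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return
        if tag == "param":
            self._emit_user_param(dict(attrs))
            return
        kept = {}
        for name, value in attrs:              # HTMLParser lower-cases attribute names
            if name in ALLOWED_TAGS[tag]:
                cleaned = _clean_value(name, value)
                if cleaned is not None:
                    kept[name] = cleaned
        if tag == "embed":
            # Any user allowScriptAccess/allowNetworking attribute was dropped above
            # (not whitelisted); now add the policy values unconditionally.
            kept.update(FORCED_FLASH_PARAMS)
        self.out.append(_render(tag, kept))
        if tag in VOID_TAGS:
            return
        self._open.append(tag)
        if tag == "object":
            # Emit the lockdown <param>s first, so the object is locked down
            # even when the user sent none at all.
            for name, value in FORCED_FLASH_PARAMS.items():
                self.out.append(_render("param", {"name": name, "value": value}))

    def _emit_user_param(self, attrs):
        if not self._open or self._open[-1] != "object":
            return                             # <param> only belongs directly in <object>
        name = (attrs.get("name") or "").strip().lower()   # Flash matches names case-insensitively
        if name in _FORCED_LOWER or name not in ALLOWED_PARAM_NAMES:
            return                             # policy owns the lockdown params; never merged
        cleaned = _clean_value("src" if name == "movie" else "value", attrs.get("value"))
        if cleaned is not None:
            self.out.append(_render("param", {"name": name, "value": cleaned}))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag in VOID_TAGS or tag not in self._open:
            return
        while self._open:                      # close anything still open inside it
            top = self._open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return the filtered fragment with every emitted element closed."""
    p = FlashLockdownSanitizer()
    p.feed(html)
    p.close()
    while p._open:
        p.out.append(f"</{p._open.pop()}>")
    return "".join(p.out)


# Constructed sample: a user ships a 1x1 Flash widget with script access turned on
# via an upper-cased <param>, via <embed> attributes, and adds a stray <script>.
SAMPLE = (
    '<p>Check out my <b>widget</b>:</p>'
    '<object data="http://example.com/widget.swf" type="application/x-shockwave-flash" width="1" height="1">'
    '<param name="ALLOWSCRIPTACCESS" value="always">'
    '<param name="movie" value="http://example.com/widget.swf">'
    '<param name="flashvars" value="cb=evil">'
    '</object>'
    '<embed src="http://example.com/widget.swf" allowScriptAccess="always" allowNetworking="all" width="1" height="1">'
    '<script>document.write("pwned")</script>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

The user's own copies of the two settings are discarded rather than merged, so attribute order games such as `<param value="always" name="allowscriptaccess">` cannot slip a laxer value in ahead of ours; everything else the player might read (flashvars, allowFullScreen, and so on) is simply not whitelisted here.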

